Some thoughts on CFO's Cloud Questions Article

Yesterday I ran across this article at CFO.com. As someone who
started in this industry nearly two decades ago and is planted firmly in
the cloud, I’ve a few observations and admonitions.

On Question One:

Yes, by all means compare TCO. But be sure to compare it accurately.
This will mean learning more about what your IT group does so they can answer
the questions you need to ask them. The article makes a critical mistake
in assuming and asserting that the cloud makes it easier to know what
your cost is because you get a bill.

I say this because, while it should be obvious, that bill doesn’t cover
the cost of getting to the cloud, or the cost of the people, and the
investment in said people, who keep your business running in the
cloud. The cloud doesn’t get rid of your people. I would hope that a CFO
would know this and take that into account, but that isn’t always the
case.

On Question Two:

Does the CFO have the skills to “manage the cloud”? I’d bet more often
than not they do not have those skills - that is why they are the CFO
instead of the CIO! The proper answer here is to work with the CIO on
tracking needs, growth, and changes in business regarding how and when
to use the cloud - and what cloud to use. The CFO’s job is not to manage
IT. Keep that in mind as it will resurface.

On Question Three:

I’ve got a particular nit to pick here, but it is a big one. The article
asserts the following:

“but it’s up to CFOs to vet their providers’ security and make sure
their certifications, policies, and procedures fulfill their
businesses’ regulatory requirements”.

No, no it isn’t. Again, CFOs by and large do not have the skills to
analyze the security practices and options of cloud providers. It should
be the security team, or at a minimum, the CIO who vets the vendor for
security. Considering that most reasonable CIOs would turn this over to
their security experts, the idea that the CFO should be taking over this
role is ludicrous and dangerous.

Further, it should be legal’s job to confirm that regulatory
requirements are met. Unless CFOs are getting trained in security and
legal review of regulatory requirements and how well a potential vendor
can address those, they should not be expected, or even allowed, to do
those things.